SECURITY PoC — Open Redirect Data Capture
This page is hosted on notelastic.co (attacker-controlled domain).
The user was redirected here from cloud.elastic.co after a legitimate login.
1. Redirect Evidence
| Timestamp | 2026-04-02T07:28:48.907Z |
| Landing URL | https://notelastic.co/sitemap.xml |
| Referer Header | none |
| User IP | 216.73.216.37 |
| Country | US |
| User-Agent | Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com) |
2. All Request Headers (leaked to attacker)
| Header | Value |
|---|
| accept | */* |
| accept-encoding | gzip, br |
| cf-connecting-ip | 216.73.216.37 |
| cf-ipcountry | US |
| cf-ray | 9e5e1e71acfdd96e |
| cf-visitor | {"scheme":"https"} |
| connection | Keep-Alive |
| host | notelastic.co |
| user-agent | Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com) |
| x-forwarded-proto | https |
| x-real-ip | 216.73.216.37 |
3. Cookies (leaked to attacker)
none
4. URL Query Parameters
5. Attack Summary
Attack URL: https://cloud.elastic.co/login?redirectTo=https://notelastic.co/capture
Bypass: "notelastic.co".endsWith("elastic.co") === true
Result: After legitimate login on cloud.elastic.co, user is redirected to this attacker-controlled page.
Impact: Referer header leaks origin. During redirect chain, Okta session token is leaked to third-party analytics (LinkedIn, Google Analytics) via URL parameters.
This page is a security Proof-of-Concept for HackerOne report #3637929.
No credentials are collected, stored, or exfiltrated. Domain registered solely for authorized security testing.